3. Neglecting to properly secure certain entrances
Giles believes in the rule that the fewer entrances into a building, the better.
"Every door is another opportunity for someone to get in," he said.
While it is important to have several doors for emergency exits, Giles said they all too often get neglected. He suggested alarms at all doors that have been designated as emergency. Employees should also be asked to demand ID or badges from individuals entering a secure building, he said, and noted the best defense against intruders is a good security awareness program among workers that gets them to notice what is going on around them.
4. Allowing management to ignore security rules
Sure, a good awareness program might ask employees to "check" on one another to ensure they are wearing badges or ID. But what if management is neglecting to follow the rules? Giles said it is a physical security mistake he sees all the time.
"I tell them you have to make a choice. If you are going to have badge-wearing program, you have to wear the badge. If you're not going to wear one, do away with the program because if you don't wear it, you undermine the program."
5. Failing to take time to understand your technology
Physical security technology, such as CCTV, has come a long way in the last decade, noted Giles. The problem is many people don't know how to use it. Often Giles said a good CCTV recording system will be for naught because if there is an incident, the staff doesn't know how to find the recording they need.
"Companies will have a contractor come in an install the cameras, and then there is no follow up to learn how to really use it."
Giles said another common scenario is a building with 40 or more cameras around the facility which use a multiplexer to toggle between cameras and record images. But the switching is done at random and is therefore of little use.
"If you don't set that up properly you might have situation where a person is breaking in a door but you don't capture the event because the recorder was not on the door at that time."
Giles recommends that monitoring systems be configured to have event-driven recording, which means a camera is activated whereever an alarm goes off. (See VMS: How to Manage Surveillance Video.)
6. Failing to secure important rooms inside the building
"We used to have people working the server room all the time (in organizations)," said Giles. "But now they can control what is going on in there remotely. So if someone is going in and out of there, you really want to know who it is and why they are there."
Giles recommends access control systems around data centers that include badges and/or access cards as well as cameras. (See 19 Ways to Build Physical Security into Your Data Center.) He also advises clients who have concerns about proprietary information to secure their mail rooms as well.
7. Overdoing security
Lastly, it's important to remember that these tips are not a one size fits all prescription for your building's security, said Giles. The level of facility security will need to fit the level of risk an organization faces.
"I'm opposed to going into a facility and having them do as much security as they can do," he said. "If you overdo it to where it doesn't make sense, within six months people will have figured out ways to get around security and it will be a waste of money. It has to match the risk and culture of the business.
It's impossible to come up with a formula that says an organization needs specific elements in their building security plan because there are too many variables, Giles noted. Consider your environment and invest appropriately, he said. (For more insight on strategic planning and matching investment to risks, see this excerpt from Giles' book, How to Develop and Implement a Security Master Plan.)